Blackbyte Ransomware Registry
BlackByte sets three registry values to DWORD 1 before moving laterally and encrypting: LocalAccountTokenFilterPolicy disables the remote UAC token filter so local administrator accounts receive a full (unfiltered) token over the network, which remote execution through admin shares (for example PsExec-style tooling) depends on; EnableLinkedConnections makes mapped network drives created in a user's standard token visible to that user's elevated processes; and LongPathsEnabled lifts the MAX_PATH limit so deeply nested files can be reached. The rule fires on any one of these three values being set to 1 via Sysmon Event ID 13 (registry value set).
Sigma rule
title: Blackbyte Ransomware Registry
id: 83314318-052a-4c90-a1ad-660ece38d276
status: test
description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
references:
    - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
author: frack113
date: 2022-01-24
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject:
            - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
            - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
            - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Unknown
level: high
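To see exactly which events the `selection` block above accepts and rejects, here is an added example (not part of the SigmaHQ rule or any BlackByte tooling) that implements the rule's matching logic in Python and runs it over constructed Sysmon Event ID 13 records. It assumes events are dicts keyed by Sysmon field names, that matching is case-insensitive as the Sigma specification requires, and (an assumption beyond the rule) that a native hive prefix `\REGISTRY\MACHINE` may appear in place of `HKLM` and should be folded to it so the same logic works on telemetry that logs the native path.

```python
"""Added example, not part of the SigmaHQ rule: evaluate the
'Blackbyte Ransomware Registry' selection over constructed Sysmon
Event ID 13 (registry_set) records.

Assumptions (not stated by the rule): events are dicts with Sysmon field
names, and a native hive prefix (\\REGISTRY\\MACHINE\\) may appear instead
of HKLM\\ and is folded to HKLM\\ before comparison.
"""

EVENT_ID_REGISTRY_SET = 13  # Sysmon "Registry value set" event

# The three values the rule selects on (Sigma `TargetObject` list).
WATCHED_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
    r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
}
# Sysmon renders REG_DWORD data in the Details field in this exact form.
EXPECTED_DETAILS = "DWORD (0x00000001)"

# Assumption: fold the native hive path to Sysmon's short hive name.
HIVE_ALIASES = {"\\registry\\machine\\": "hklm\\"}


def normalize_target(target: str) -> str:
    """Lower-case the path (Sigma matching is case-insensitive) and fold hive aliases."""
    t = target.lower()
    for native, short in HIVE_ALIASES.items():
        if t.startswith(native):
            t = short + t[len(native):]
    return t


WATCHED_NORMALIZED = {normalize_target(v) for v in WATCHED_VALUES}


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's `selection` block:
    a registry_set event whose TargetObject is one of the watched values
    and whose Details is DWORD 1."""
    if event.get("EventID") != EVENT_ID_REGISTRY_SET:
        return False
    target = normalize_target(event.get("TargetObject", ""))
    details = event.get("Details", "").lower()
    return target in WATCHED_NORMALIZED and details == EXPECTED_DETAILS.lower()


def evaluate(events: list) -> list:
    """Run the rule over a batch of events and return the ones that match."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (not real BlackByte logs).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},                       # match
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},                       # match
    {"EventID": 13, "Image": r"C:\Users\Public\svc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
     "Details": "DWORD (0x00000001)"},                       # match after hive/case folding
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
     "Details": "DWORD (0x00000000)"},                       # no match: value reverted to 0
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},                       # no match: key not in the rule
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "Details": ""},                                         # no match: key create, not value set
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['TargetObject']} = {hit['Details']}")
```

Two practitioner caveats the rule's `falsepositives: Unknown` does not spell out: LocalAccountTokenFilterPolicy=1 is also pushed by some administrators through Group Policy to allow remote administration with local accounts, and LongPathsEnabled=1 is commonly set on developer workstations, so triage on the writing `Image` (reg.exe or PowerShell from an unusual parent versus the Group Policy client) and on whether two or all three values change on the same host within a short window, which is the pattern the description attributes to BlackByte.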
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Change User Account Associated with the FAX Service